Trend Micro Uncovers DNS-Changing Mac Trojan

Disguised as MacCinema Installer, the Trojan is detected by Trend Micro as OSX_JAHLAV.D and is considered to be an update to the OSX_JAHLAV.C malware identified in June. The malware poses as an Apple QuickTime Player update with the file name QuickTimeUpdate.dmg. Users are prompted to download the malware when viewing certain videos from .com domains with the IP address 91.214.45.73, such as:

â¢ allincorx â¢ bigdron â¢ cikaredo

Trend Micro has published a full list of the domains. If a computer is infected, an attacker can reroute the victim's Web traffic to rogue Websites, according to the TrendLabs Malware Blog.

"The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F," wrote Det Caraig, a researcher with Trend Micro. "The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user's activities. This may also cause the user to be redirected to phishing sites or sites [that] other malware may be downloaded from."

Trend Micro officials noted that the domain names have been set up so that if the main IP is taken down, cyber-criminals can easily move the back end to another IP address without the need to change code or scripts. Mac users should stay away from the domains and IP addresses Trend Micro has listed and be wary of prompts to download software updates that do not come from Apple's legitimate Website.
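The indicators reported above (a dropped file at /tmp/{random 3 numbers}, altered DNS resolvers, and a set of domains all pointing at 91.214.45.73) can be checked on a Mac with a short triage script. The following Python is an added example, not Trend Micro's code and not part of the original article. The .com suffix on the domain names is inferred from the article's wording, the "Wi-Fi" network service name is an assumption (2009-era systems typically used "AirPort"), and the /tmp listing used for the offline demonstration is constructed.

```python
"""Host triage for the OSX_JAHLAV.D indicators (added example, not Trend Micro's code)."""
import re
import socket
import subprocess
from pathlib import Path

# Indicators quoted from the article above.
JAHLAV_BACKEND_IP = "91.214.45.73"
# The article lists the domains without a TLD but calls them ".com domains";
# the suffix here is inferred from that wording (assumption).
JAHLAV_DOMAINS = ["allincorx.com", "bigdron.com", "cikaredo.com"]

THREE_DIGITS = re.compile(r"^[0-9]{3}$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed sample listing of /tmp for the offline demonstration.
SAMPLE_TMP_LISTING = ["com.apple.launchd.abc", "483", "45", "readme", "007", "1234"]


def dropped_file_names(names):
    """Filter a directory listing down to names matching /tmp/{random 3 numbers},
    the drop location the article reports for UNIX_DNSCHAN.AA."""
    return sorted(n for n in names if THREE_DIGITS.match(n))


def find_dropped_files(tmp_dir="/tmp"):
    """Live check: regular files in tmp_dir whose name is exactly three digits."""
    names = [p.name for p in Path(tmp_dir).iterdir() if p.is_file()]
    return dropped_file_names(names)


def parse_dns_servers(networksetup_output):
    """Parse the output of `networksetup -getdnsservers <service>`.
    macOS prints one IPv4 address per line, or a sentence such as
    "There aren't any DNS Servers set on ..." when none are configured."""
    return [line.strip() for line in networksetup_output.splitlines()
            if IPV4.match(line.strip())]


def unexpected_resolvers(servers, allowed):
    """Return configured resolvers that are not on the allow-list.
    A DNS changer shows up here as an address nobody on the host configured."""
    allowed = set(allowed)
    return [s for s in servers if s not in allowed]


def current_dns_servers(service="Wi-Fi"):
    """Live check. The service name is an assumption; `networksetup
    -listallnetworkservices` prints the names valid on a given Mac."""
    proc = subprocess.run(["networksetup", "-getdnsservers", service],
                          capture_output=True, text=True, check=False)
    return parse_dns_servers(proc.stdout)


def domains_on_backend_ip(domains, resolve=socket.gethostbyname):
    """Return the domains whose A record is the reported back-end IP.
    `resolve` is injectable so the check can run without network access;
    a domain that fails to resolve is skipped, not treated as a hit."""
    hits = []
    for domain in domains:
        try:
            if resolve(domain) == JAHLAV_BACKEND_IP:
                hits.append(domain)
        except (socket.gaierror, OSError):
            continue
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    print("constructed /tmp sample flags:", dropped_file_names(SAMPLE_TMP_LISTING))
    # Live checks on the host running the script (networksetup exists only on macOS).
    print("three-digit files in /tmp:", find_dropped_files())
    try:
        resolvers = current_dns_servers()
        print("unexpected resolvers:", unexpected_resolvers(resolvers, ["192.168.1.1"]))
    except FileNotFoundError:
        print("networksetup not available; skipping resolver check")
    print("domains still pointing at the back end:", domains_on_backend_ip(JAHLAV_DOMAINS))
```

The allow-list passed to unexpected_resolvers should be the resolvers the user or DHCP actually assigned; note that networksetup reports only statically configured servers, so `scutil --dns` is the better source for the resolvers in effect. The resolver check is the one most worth keeping: the article's point is that the operators can move the back end to a new IP without touching the malware, so the file name and IP indicators age quickly while an unexplained resolver change remains a reliable sign of this family.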